Securing Groupware

Dateline: Toronto, ON, June 1998

Your organization has invested in a groupware product, such as Notes, Domino, Collabra, Exchange or GroupWise, and you're wondering how to control it. And control it you should, since groupware is an emerging technology that's here to stay.

The market for groupware has grown dramatically in the last few years, from $430 million in 1993 to well over $3 billion today, by one estimate. That's not counting a sizable cottage industry for databases, templates and macros cropping up around these products. The rapid growth of groupware is understandable; as a business solution, it can literally transform the business process by changing the way people communicate with one another.

Common Label, Uncommon Technology

Of all the client/server software categories, "groupware" is unquestionably the most misused and misapplied term. Currently, more than 200 products are labeled groupware (given the sales record, it's no mystery why). Indeed, you might recognize groupware by one of its other aliases: collaborative computing, computer-supported cooperative working or workgroup computing.

By definition, groupware is software that supports the management (creation, storage, flow, tracking) of nonstructured information in direct support of collaborative group activities. Unlike other client/server technologies, groupware is not a downsized mainframe technology, but rather a genuinely new form of computing that grew out of networking. Essentially, client/server groupware consists of five basic technologies: (1) conferencing, (2) electronic mail, (3) multimedia document management, (4) scheduling and (5) workflow. Unfortunately, no single groupware product incorporates all these basic technologies. The primary commodity in a groupware application is a semi-structured, multimedia document that can contain a variety of data types, including text, voice, image (or BLOBs) and video.

Groupware products provide a rich suite of security controls, such as access control lists, resource control, user IDs, database replication, version control, encryption, digital signatures and password and account controls. For example, every Notes database has an access control list (ACL) specifying those users, user groups, and servers that can access the database and what tasks they can perform. Both of the ACL's elements—access levels and access roles—are set by the database designer or manager. The ACL details who can open the database and what they can do with the information.

When someone tries to open a database on a server, the server looks at their ID to see whether they have any certificates in common. When they do, access is allowed; when they don't, access is denied.

In addition to designating access levels, Notes can protect your work and the work of other users on shared databases in a variety of other ways:

  • User IDs can be protected with passwords.

  • Users are granted or denied access to Notes servers through the certificates stored in their User IDs.

  • Information can be encrypted so that only specific users can decrypt it.

  • If you're using Notes with a modem, you can use a secure modem channel.

Due to recent developments, two security functions—digital certificates and malware control—require a further look.

The Push for Standardized Certificates

Groupware products use certificates for authentication. Basically, a certificate is an electronic stamp attached to your user ID by a certifier, usually the application or security administrator. Certificates allow you to access specific servers, verify the identity of the sender, provide a tamper-resistant seal on a message and furnish proof that a transaction occurred.

Good groupware allows you to see information about the certificates attached to a particular user ID. Generally, the information provided about a certificate includes (a) the name of each certificate on an ID; (b) the date and time each one was created, and the date and time it expires; and (c) the ID number and name of the certifier.

Traditionally, vendors have used proprietary software to generate their certificates, which has led to non-interoperability between various groupware products. This lack of interoperability has held back groupware, especially for use over the Internet. As a result, various groupware vendors have announced plans to support the X.509 international standard for digital certificates, which will provide a better way to secure information sent over public and private networks (see table following). Adoption of the X.509 standard signals a move away from proprietary technology and toward interoperability and the simplification of security methods.

The X.509 Factor

X.509 is a certification methodology that provides authenticated, encrypted access to private information. In the groupware environment, vendor support of the standard is sparse, but growing.

  • Netscape Communications Corp. already supports the X.509 digital certificate standard in its Communicator clients and SuiteSpot servers.

  • Lotus announced support for the X.509 standard in Version 4.6 of its Domino server, and Version 5.0 of its Notes client.

  • Microsoft pledged support for X.509 in the next release of its Exchange messaging server, code-named Osmium. The Exchange upgrade relies on Internet Information Server (IIS) version 4.0 to actually generate the digital certificates. Microsoft's Outlook client, expected to ship with Osmium, will work with certificates.

  • Novell announced that it is adding X.509 support to its Novell Directory Services (NDS). NDS acts as the underlying directory for several Novell products, including GroupWise.

  • Additional certificate support comes with RSA Data Security Inc.'s BSafe encryption toolkit. Microsoft, Lotus and other major software vendors use the BSafe toolkit.

Concerns about key recovery are an impediment to the widespread use of groupware certificates. Key recovery enables businesses to use strong encryption to secure vital business data (e.g., medical records or personnel files) without fear of data loss when the keys are lost or destroyed. To work effectively, key-recovery technology scrambles and embeds key-recovery information within the message, either as a header or as an appended file. When the keys are lost or destroyed, the information in the header provides the means to decrypt the data.

Standardized certificates and key-recovery software should promote interoperability between groupware and the cross-platform exchange of documents. The increase in document exchange could, however, lead to an increase in the spread of malware.

Controlling Malware

As organizations rely on documents and e-mail to store mission-critical information, that data will require a higher level of protection. However, groupware environments such as Microsoft Exchange or Lotus Notes--which facilitate the storage and sharing of this data--can spread viruses rapidly when left unprotected.

As you might imagine, the cost of cleaning a virus infection at the network server level can be staggering. Infected server files raise the ante on virus infections, rapidly expanding a desktop infection into a network-wide virus outbreak. Although malware infections are relatively infrequent, they can seriously damage your network. And worse, getting rid of them can take days, resulting in costly downtime and the temporary loss of an essential corporate application. Given the cost of lost employee productivity and the potential loss of data, server-based virus protection is a must.

In essence, three kinds of malware can infect your network through a groupware application: (1) traditional boot-sector viruses hiding in executable programs attached to either e-mail messages or shared documents; (2) macro-viruses activated by opening a shared document file or spreadsheet; or (3) destructive logic bombs.

All three of these malware infections are dangerous, but logic bombs in particular can do severe damage. Written either as executable programs or in the programming language of the groupware environment, logic bombs invoke system-level commands to wipe out data or reformat hard disks. In a groupware application, such an attack might take the form of a button that fakes a search for related documents. When an unsuspecting user clicks on the button, the bomb erases the hard disk. Other logic bombs might grab passwords or capture personal information.

Because of their nature, logic bombs are extremely difficult to detect. Often, the bomb is written by someone whom the victim trusts, such as an in-house or contract programmer. Often, by the time the victim discovers it, it's too late--the damage is done.

Because many logic bombs are embedded in otherwise useful code passed from user to user, catching them is extremely difficult. Moreover, a bomb may be passed around harmlessly until it reaches its intended target. By then, it's almost impossible to tell where it came from.

Once a virus gets into a groupware system, eradication becomes almost impossible. Although the virus doesn't actually infect the server, it is stored in the groupware, discussion or message database. With standard e-mail systems, the infected file is simply sent to one or more recipients. But when attached to a discussion message or integrated into a workflow document, an infected file will spread to every server hosting a copy of that discussion or workflow.

Replication not only spreads the virus rapidly but also makes it difficult to prevent re-infection. Groupware servers usually replicate to ensure that every server has the same information. Once users make changes to a discussion, for instance, the updated information is copied back to the source. So, even if you erase or clean an attached infected file from the original server, replication will restore the virus from one of the others.
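The re-infection loop described above can be reproduced with a small simulation. This is an added example, not code from the article or from any groupware product; the replication rule (copy whatever the peer lacks or holds in an older version, with no deletion marker left behind by an erase), the server names and the document labels are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Doc:
    seq: int          # modification counter; higher means newer
    attachment: str   # constructed label: "infected" or "clean"

def replicate(a, b):
    """Two-way sync of replica dicts (doc_id -> Doc).
    Assumption: an erased document leaves no deletion marker behind."""
    for doc_id in set(a) | set(b):
        da, db = a.get(doc_id), b.get(doc_id)
        if da is None or (db is not None and db.seq > da.seq):
            a[doc_id] = db          # a lacks the document or has an older copy
        elif db is None or da.seq > db.seq:
            b[doc_id] = da          # b lacks the document or has an older copy

def replicate_all(servers):
    """One replication cycle between every pair of servers."""
    names = sorted(servers)
    for i, x in enumerate(names):
        for y in names[i + 1:]:
            replicate(servers[x], servers[y])

def infected(servers):
    """Names of servers still holding an infected attachment."""
    return sorted(n for n, replica in servers.items()
                  if any(d.attachment == "infected" for d in replica.values()))

def erase_only_on_hub():
    servers = {"hub": {"memo": Doc(1, "infected")}, "east": {}, "west": {}}
    replicate_all(servers)            # the discussion spreads to every replica
    del servers["hub"]["memo"]        # erased on the original server only
    before = infected(servers)
    replicate_all(servers)            # next scheduled cycle restores it
    return before, infected(servers)

def clean_every_replica():
    servers = {"hub": {"memo": Doc(1, "infected")}, "east": {}, "west": {}}
    replicate_all(servers)
    # Replication stays off while each server's copy is cleaned.
    for replica in servers.values():
        replica["memo"] = Doc(replica["memo"].seq + 1, "clean")
    replicate_all(servers)
    return infected(servers)
```

Erasing the document on the hub alone leaves it on the other two replicas, and the next cycle copies it back; only cleaning every replica before replication resumes leaves no infected copy.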

Ironically, groupware security features can be a virus's unwitting accomplice. When encrypted, groupware databases are difficult to scan, as are encrypted communications between client and server and among servers.

Counter Strategies

To successfully fight malware, you must wage your campaign on several fronts. For each step, the emphasis should be on prevention.

1. Institute a comprehensive, client-side antivirus plan. Before giving users access to groupware, install software to scan and inoculate all client PCs. Commercial programs from companies like Cheyenne Software, Dr. Solomon, Network Associates and Symantec can catch most known viruses.

Although popular programs perform similarly in detection and notification of viruses, they vary in their ability to remove the virus. For instance, some antivirus programs can restore an executable file to its uninfected state; others cannot. Most programs can remove variants of the Microsoft Word Concept macro-virus without changing the document, but a few cannot.

2. Pay attention to the ease with which you can update antivirus software. When selecting antivirus software, make sure it allows you to update users centrally. Automatic updating is critical to catch the latest viruses. Some vendors require you to manually download virus updates and byte-level identifiers from a Web page. Others use push technology to distribute this information automatically. Push technology is convenient, but it also has a downside. Since it allows you to automatically distribute data, such as file-attached documents, directly onto users' desktops, it could easily and quickly spread an embedded virus across your organization unless native antivirus protection is in place.

3. Once you install a centralized antivirus system with both client and server components, make sure it's being used. Most network-based programs allow you to refuse a login request when the memory-resident portion of the virus checker isn't running on the client.

4. Consider configuring your antivirus software to quarantine (isolate) users who copy a virus to the network. With such a program in place, the software automatically logs off the offending system when a virus is detected, and no one can log in again until an administrator sweeps the system for viruses.

5. When selecting a backup program, make sure it can perform "hot" backups of your groupware application. That way, you can schedule incremental backups as often as you like without bringing down the system.

Despite your best intentions, you can safely bet that viruses will, once in a while, slip past your clients and get into your groupware system. But have no fear: antivirus programs can scan groupware databases, as long as the databases aren't encrypted. If a virus gets into an encrypted database, you'll need to decrypt, scan, inoculate and re-encrypt the entire database. Or, you'll have to turn off replication and find someone with the privilege to log in to each server and manually delete the offending attachment. Even when the groupware database isn't encrypted, the person who invokes the scan must have supervisor privileges in the groupware system, not just in the network.

Antivirus Solutions

In addition to strong enterprise-wide antivirus policies, groupware antivirus software packages can help you in the war on malware (see box following). However, antivirus software remains a step behind the virus writers. So far, this gap has driven the market and put network managers constantly on the defensive. But the advantage could soon shift back to the antivirus vendors—and, by extension, to you.

Groupware Antivirus Solutions


Here's a sample of the antivirus packages currently available for the groupware environment:

Lotus Development Corp., for one, is keenly aware of the threat posed by groupware-distributed viruses. Notes 4.5 includes an updated API that lets antivirus software monitor attachments as they are sent from the client. In addition, Notes 4.5 includes Execution Control Lists (ECLs), a feature developed specifically to combat logic bombs. With ECLs, users can specify acceptable senders of executable and LotusScript files, as well as limit the actions of those files (e.g., prohibiting disk writes). Administrators, moreover, can set umbrella ECL policies.
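The ECL idea in the paragraph above can be sketched as a small policy evaluator: each sender is mapped to the actions its code may perform, and an administrator's umbrella policy caps what any user entry can grant. This is an added example and a toy model, not the Notes ECL format or API; the action names, sender names, wildcard matching and the "most specific entry wins" rule are assumptions.

```python
from fnmatch import fnmatchcase

# Hypothetical action names; the article itself names only disk writes.
READ_DISK, WRITE_DISK, SEND_MAIL, RUN_PROGRAM = "read_disk", "write_disk", "send_mail", "run_program"

def lookup(table, sender, fallback):
    """Return the action set of the most specific pattern matching sender."""
    matches = [p for p in table if fnmatchcase(sender, p)]
    if not matches:
        return frozenset(fallback)
    # Exact names beat wildcard patterns; longer patterns beat shorter ones.
    best = max(matches, key=lambda p: ("*" not in p, len(p)))
    return frozenset(table[best])

class ExecutionControlList:
    """Toy ECL: sender pattern -> actions that sender's code may perform."""

    def __init__(self, entries, default=(), umbrella=None):
        self.entries = entries      # set by the user
        self.default = default      # for senders matching no user entry
        self.umbrella = umbrella    # administrator's ceiling, or None

    def allowed(self, sender):
        actions = lookup(self.entries, sender, self.default)
        if self.umbrella is not None:
            # The umbrella policy can only narrow what the user granted.
            actions &= lookup(self.umbrella, sender, ())
        return actions

    def permits(self, sender, action):
        return action in self.allowed(sender)

def demo():
    # Constructed names and policies for illustration.
    ecl = ExecutionControlList(
        entries={"Template Dev/Acme": {READ_DISK, WRITE_DISK},
                 "Contractor/Acme": {READ_DISK, WRITE_DISK, RUN_PROGRAM},
                 "*/Acme": {READ_DISK, SEND_MAIL}},
        default={READ_DISK, WRITE_DISK},   # a careless user default
        umbrella={"*/Acme": {READ_DISK, WRITE_DISK, SEND_MAIL}, "*": {READ_DISK}})
    return {
        "dev_write": ecl.permits("Template Dev/Acme", WRITE_DISK),
        "staff_write": ecl.permits("Jane Doe/Acme", WRITE_DISK),
        "contractor_run": ecl.permits("Contractor/Acme", RUN_PROGRAM),
        "outsider_write": ecl.permits("Unknown/Elsewhere", WRITE_DISK),
        "outsider_read": ecl.permits("Unknown/Elsewhere", READ_DISK),
    }
```

In the constructed policy, a button script from an unlisted sender is refused disk writes even though the user's own default would have allowed them, because the umbrella policy grants unknown senders read access only.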

The increasing popularity of Lotus Domino poses additional challenges. Because it allows businesses and organizations to collaborate over the Internet, Domino introduces a new risk to Notes users in the form of infected file attachments. As a result, harmful viruses that infiltrate Notes discussion databases and document libraries can easily infect end-users.

Empowerment Vs. Control

Because of their functionality and ease-of-use, products such as Domino, Notes, Exchange, GroupWise and Collabra excite workers who are creating collaborative client/server applications. These products allow the employees to manage unstructured data. From an empowerment perspective, this presents some exciting possibilities. However, from a control viewpoint, it is a little frightening. Groupware databases have a tendency to proliferate like tribbles on the original Star Trek Enterprise. Without proper policies for security, database replication, telecommuting, remote access and virus control, your organization may be courting disaster.
